The Tigger Trojan: Icky, Sticky Stuff

A relatively unknown data-stealing Trojan horse program that has claimed more than a quarter-million victims in the span of a few months aptly illustrates the sophistication of modern malware and the importance of a multi-layered approach to security.

When analysts at Sterling, Va., based security intelligence firm iDefense first spotted the trojan they call "Tigger.A" in November 2008, none of the 37 anti-virus products they tested it against recognized it. A month later, only one - AntiVir - detected it.

That virtual invisibility cloak, combined with a host of tricks designed to elude forensic malware examiners, allowed Tigger to quietly infect more than 250,000 Microsoft Windows systems, according to iDefense's read of log files recovered from one of the Web servers Tigger uses to download code.

iDefense analyst Michael Ligh found that Tigger appears designed to target mainly customers or employees of stock and options trading firms. Among the unusually short list of institutions specifically targeted by Tigger are E-Trade, ING Direct ShareBuilder, Vanguard, Options XPress, TD Ameritrade and Scottrade.

iDefense said the Trojan is the first known malware to exploit a specific vulnerability Microsoft patched in mid-October 2008. That flaw is what's known as a "privilege escalation" vulnerability: it cannot be used remotely to break into a machine, but once malicious code is already running under an ordinary user account, it lets that code elevate itself to the almighty "administrator" level of access in Windows.

That means that even if the user is running the system as I so often advise -- under a limited user account that does not have permission to make changes deep within the operating system -- the presence of this unpatched vulnerability on a Windows system would let this invader override that protection and install its components with full administrative rights.

While running Windows under a limited user account is a key step in keeping your system in its safest state, staying up-to-date on patches -- both fixes for the operating system and third-party software -- is still just as important. I would actually rank anti-virus a distant third protection mechanism, given how poorly most anti-virus tools seem to be faring against the latest malware families.

Read on after the jump for other "fun-fun-fun-fun-fun" facts about the "T-I-Double-Guh-Er" Trojan that hint at its motives and perhaps origin.

Update, Feb. 25, 5:00 p.m. ET: Byron Acohido, the Pulitzer Prize-winning cyber security reporter for USA Today, has published a fascinating yarn about the underground market for customized banking Trojans that is worth a read.

Tigger removes a long list of other malicious software titles, including the malware most commonly associated with Antivirus 2009 and other rogue security software titles. iDefense analysts say this is most likely done because the in-your-face "hey, your-computer-is-infected-go-buy-our-software!" type alerts generated by such programs just might tip off the victim that something is wrong with his system, and potentially lead to all invaders getting booted from the host PC.

According to iDefense, it also installs a "rootkit" on the infected system that loads even when the system is started up in "Safe Mode," the Windows diagnostic boot sequence that is supposed to load only the core drivers and services needed to start the machine, so that troubleshooting system problems is easier. A rootkit is a set of tools designed to hide malware's files, processes and registry entries from the operating system and from security software, so that the infection is extremely stealthy and difficult to remove.

Finally, iDefense's Ligh said one aspect of this new Trojan suggests the authors behind the Srizbi botnet may have had a hand in developing or distributing it. As a result of the shutdown of hosting provider McColo in November 2008, the Srizbi botnet -- at the time responsible for sending more than 40 percent of the world's spam -- was cut off from the servers its masters used to control it. But Srizbi had a built-in mechanism to resurrect itself: it told all infected systems to seek out a rotating set of new domain names every few days, names that the bad guys could (and did) use to regain control over the botnet.

According to iDefense, Tigger uses a special key to unpack its rootkit on host systems, a lengthy key that is almost identical to the key used by the domain name generation feature built into the Srizbi botnet.

While the nearly matching keys may be nothing more than a coincidence, it is unusual to find data-stealing Trojans that remove other malicious software, Ligh said. Rather, such features are far more commonly found in bot programs typically used to turn systems into spam relays, such as the Srizbi botnet.

"The scary part is, none of us are really sure how Tigger is even being distributed," Ligh said. "I look at a lot of info-stealing malware, and this is the first one I've seen in a while that goes to the trouble of removing other pieces of malware."

I just finished an interesting battle with this one. On Sunday, I got a call from a man asking if I could look at his computer ASAP, as there were serious problems with it. He is active in the market, and needed his computer for Monday's session.

Almost none of my usual anti-malware or diagnostics would install. Some of the behavior was typical of a rogue security product, but there was no apparent rogue application.

I worked from 1PM until 8PM to get that machine cleaned. I had to go yesterday morning to finish repairing the damage caused by the infections, and get all of his programs running properly.

If it helps anyone in the future, a combination of VIPRE Rescue, a-squared, Trojan Remover and Avira AntiVir helped break the stranglehold, and allowed me to use some other products to fully clean the machine.

Malwarebytes Anti-Malware and SUPERAntiSpyware (two of my favorites) would not initially install (neither would HijackThis). Once the first group of products ran and loosened things up, these apps eventually cleaned the machine.

Dawny, I guess time will tell. I hate to jinx things, but I have cleaned bad infections from quite a few machines (100, maybe), and have yet to have an issue with any of those machines. Of course, I have opted to reformat/reinstall some machines, too.

When I clean a machine, I take my time and attempt to get as many of the bits as is possible. Then, I attempt to make the computer more secure, as well as faster and more efficient (without resorting to overclocking and such).

Then, I revisit each machine at least once, a couple weeks after the cleaning. Often, I make several return visits to check to see if the infection has returned, or morphed into something else.

Most of my clients say their computers run faster, and better, than they ever have. I know they are more secure.

No doubt there are infections that are best dealt with by reformatting/reinstalling. But the idea that it is the best course of action for every infection (a view shared by quite a few, it seems) is one I take issue with. I sent this article to my client with the infection described above. He read my comment and your response. His comment to me was this: "wouldn't want to let this same guy loose with a hacksaw around patients with an infected cut on their leg".

Now, you may be right, in this case... I hope not, though. Either way, the client will be better prepared if we need to resort to a reinstall, as he will have done a thorough backup, and hopefully be ready for the issues involved with a complete "operation", something very few people are ready for when they get their first bad infection.

I'm sure my clients would rather pay me to back up, wipe, and re-install, which is something I can give a pretty good estimate on, rather than gamble on cleaning (which might not be successful). Unless the machine has an incredible amount of custom software, I doubt it would take me the 7 hours it took the first commenter, and I would be absolutely certain the machine was clean. With rootkits there is no other way IMHO to be sure you're clean.

@postcomment13, backing up, wiping and reinstalling is no guarantee whatsoever that the machine will be clean afterwards. If you aren't able to identify the source of the infection when you clean the machine, you have absolutely no way to be sure that one of the re-installed programs isn't the source of the infection (there have been instances of commercial software distributions infected with viruses, you know) or that the source might be one of the restored data files. On most machines, it is easily going to take more than 7 hours to reload software, all appropriate updates, patches, etc. and get the computer re-configured to the customer's preferences. Either way, a large expense or a lot of hassle for the client.

You got that right, slgrieb. In the case I described above, it would have taken days, not hours, to reinstall the system, all the updates, all the programs and their updates...and all the customizations to all the programs. Add to that the fact the client didn't have any source for several of the programs available.

But, even given that, I offered to do a reinstall, as I thought it might be prudent, given the nature of the infection. I ended up cleaning the computer at the explicit direction of the client, who did not want a reinstall.

As for the "estimate" my clients are lucky, as I charge per job...not per hour. The small fee paid to me is all I ask, until the job is complete. That includes follow-ups and, if necessary, repeated cleanings, or reinstall. Many of my clients feel the need to pay me more than my fee, give me great cigars or bottles of wine, etc, for the work I do for them.

That's all I'll say on this matter, but I'd advise some posters to refrain from making assumptions about what we do, charge or what our clients prefer.

It wasn't anything special or complicated to remove if you've been working with malware for at least the last couple of years. As much as the media talks this Trojan up in regards to its "stealth-like" properties, it isn't any different than any other Trojan in how it operates.

While I find MalwareBytes to be one of the best removal apps out there, it is to be used as a base starting point or used as residual clean-up and not as a cure-all.

One technique I often use to remove malware and viruses is to boot the system with a Linux boot CD, like an Ubuntu live CD, mount the NTFS file system and perform file operations there. The nice aspect of this technique is that the virus doesn't have the chance to be "active" during this process.
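The Safe Mode persistence described in the article and the offline live-CD approach in the comment above lend themselves to one concrete check. What follows is an added example, not code from the original post, from iDefense, or from any commenter: a POSIX shell script that, with the suspect Windows volume mounted read-only from a Linux live CD, reads the offline SYSTEM hive with hivexregedit (from the hivex/libguestfs tools, assumed to be available on the live CD along with ntfs-3g) and lists every driver or service registered under SafeBoot\Minimal or SafeBoot\Network that does not appear in a baseline taken from a clean install. The baseline and the export inside demo_safeboot_check are constructed sample data, and sysdrv32.sys is a made-up entry name; a real baseline has to come from a known-clean machine of the same Windows version and service pack.

```shell
#!/bin/sh
# Added example; not code from the original post, iDefense, or any commenter.
# From a Linux live CD, with the suspect Windows volume mounted read-only,
# read the offline SYSTEM hive and list everything registered to load in
# Safe Mode (SafeBoot\Minimal and SafeBoot\Network) that is not in a baseline
# taken from a clean install. Reading the hive offline means a running
# rootkit gets no chance to filter the answer. Assumes hivexregedit
# (hivex/libguestfs tools) and ntfs-3g are present on the live CD.

# Mount the Windows volume read-only so the survey changes nothing.
# $1 = block device (e.g. /dev/sda1), $2 = mount point (e.g. /mnt/win).
mount_windows_volume() {
  mkdir -p "$2"
  mount -t ntfs-3g -o ro "$1" "$2"
}

# An offline hive has no CurrentControlSet; the \Select key's "Current" value
# holds the number of the control set the machine last booted with.
# $1 = path to the SYSTEM hive (Windows/System32/config/SYSTEM on the mount).
current_controlset() {
  n=$(hivexregedit --export "$1" '\Select' | tr -d '\r' \
      | sed -n 's/^"Current"=dword:0*\([0-9a-fA-F][0-9a-fA-F]*\)$/\1/p' | head -n 1)
  printf 'ControlSet%03d\n' "$((0x${n:-1}))"
}

# Export the two Safe Mode key trees of an offline SYSTEM hive as .reg text.
# $1 = path to the SYSTEM hive.
export_safeboot() {
  cs=$(current_controlset "$1")
  hivexregedit --export "$1" "\\${cs}\\Control\\SafeBoot\\Minimal"
  hivexregedit --export "$1" "\\${cs}\\Control\\SafeBoot\\Network"
}

# Print each Safe Mode entry in an export that is not in the baseline.
# $1 = baseline file, one entry name per line, from a clean install of the
#      same Windows version and service pack; $2 = .reg text from export_safeboot.
# Entries are the subkeys directly below ...\SafeBoot\Minimal and \Network;
# only the last path component is compared, case-insensitively, as the
# registry itself does. Value lines (not starting with '[') are ignored.
safeboot_unknown() {
  grep -iE '^\[.*\\SafeBoot\\(Minimal|Network)\\' "$2" \
    | tr -d '\r' \
    | sed -e 's/^\[//' -e 's/]$//' -e 's/.*\\//' \
    | sort -fu \
    | awk -v base="$1" '
        FILENAME == base { if ($0 != "") seen[tolower($0)] = 1; next }
        !(tolower($0) in seen)' "$1" -
}

# Constructed sample data for a stand-alone run (not a real export): a trimmed
# baseline and an export from a hypothetical infected machine whose Safe Mode
# lists carry one extra driver, the made-up name sysdrv32.sys.
demo_safeboot_check() {
  dir=$(mktemp -d)
  printf '%s\n' AppMgmt Base EventLog vga.sys > "$dir/baseline"
  cat > "$dir/export.reg" <<'EOF'
Windows Registry Editor Version 5.00

[\ControlSet001\Control\SafeBoot\Minimal\AppMgmt]
"@"="Service"

[\ControlSet001\Control\SafeBoot\Minimal\Base]
"@"="Driver Group"

[\ControlSet001\Control\SafeBoot\Minimal\EventLog]
"@"="Service"

[\ControlSet001\Control\SafeBoot\Minimal\vga.sys]
"@"="Driver"

[\ControlSet001\Control\SafeBoot\Minimal\sysdrv32.sys]
"@"="Driver"

[\ControlSet001\Control\SafeBoot\Network\Base]
"@"="Driver Group"

[\ControlSet001\Control\SafeBoot\Network\sysdrv32.sys]
"@"="Driver"
EOF
  safeboot_unknown "$dir/baseline" "$dir/export.reg"
  rm -rf "$dir"
}

# Real use, from the live CD:
#   mount_windows_volume /dev/sda1 /mnt/win
#   export_safeboot /mnt/win/Windows/System32/config/SYSTEM > /tmp/safeboot.reg
#   safeboot_unknown clean-baseline.txt /tmp/safeboot.reg
# Stand-alone demo on the constructed data (prints sysdrv32.sys):
#   demo_safeboot_check
```

Because the hive is read from the mounted disk rather than through a running Windows, a rootkit that filters registry queries on the live system has no opportunity to hide its SafeBoot entry, which is the same advantage the commenter describes for file operations. An unknown entry is a lead, not proof: third-party disk and filter drivers legitimately register there too, so look up each flagged name's driver file on the mounted volume before deleting anything, and only remount read-write for the removal once the read-only survey is finished.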